Sony (SNE) CEO Howard Stringer wondered if any company is 100 percent secure. And he already has his answer: Only two days after Sony brought its PlayStation Network online after shutting it down for weeks because of a security breach, PSN has already been hacked again.
Oh, the irony, especially as Stringer called the previous attacks a hiccup in Sony's online strategy. Unfortunately, the hiccups can last a long time. That's the new security reality for corporations, whether running online services like Sony or marketing mobile operating systems like Google's (GOOG) Android. And it's high time that companies accepted reality and changed how they develop products and services. The days of treating security as an afterthought, something bolted on to software or a Web site, are over.
As BNET's Constantine von Hoffman noted, Stringer has tried to defend Sony by saying that there are other companies that are worse. PSN security, he claimed, was fine because nothing had happened in the previous five years.
Uh, Sir Howard, did you forget about a high-profile PSN security breach in 2008, when hackers were able to get access to users' personal details? Oh, don't mention it, really. I'm happy that a Google search could remind you that security is not a one-time expense or effort.
Pretending the problem doesn't exist
Sony wants to pretend that it doesn't have a security problem. After all, they are so ... embarrassed (not to mention hoping to avoid grilling by regulators and investors). That's why Congress had to send a second letter to the company seeking answers to some questions.
But let's not point at Sony and pretend that it is different from other corporations. Executives don't like to dwell on problems. These type A people hate failure, and corporations love winners. Security is, by definition, the ongoing contemplation of your weaknesses. It's a humbling process that never ends.
Look at the recent discovery of yet another major security flaw in Android. Although fixed in the latest update, an estimated 99.7 percent of devices running the software use an older version, and so are vulnerable. It's just another plot twist in the ongoing saga that is security for Android -- or iPhone or Symbian or Windows Phone or any other mobile operating system.
What security-from-the-ground-up looks like
Companies develop software, adding one feature after another, and then think about security. However, given the current complexity of code, a retrospective approach should go out the window. A Sony or Google shouldn't be working after the fact. Why didn't Sony hire three security firms to check things before a problem occurred -- or at least after the one in 2008? Why couldn't Google figure out that sending authentication tokens in the clear over unencrypted Wi-Fi links could be a problem? That kind of knowledge has been around for many years.
The ridiculous thing is that for all these companies, the cost of thorough code security reviews would be no more than a rounding error in their R&D budgets. Why play catch-up? Solving problems after the fact costs more and can create negative PR on a vast scale. It's time to stop pretending and realize what developing technical products and services should mean.
- Sony's Lame Defense of PlayStation Breach: Everyone Else Is Worse
- Sony's Latest Statement on ID-Data Loss: A Classic of the Corporate Non-Apology
- Sony's Security Snafu: How Other Companies Can Make Hay of Its Total Cock-Up
- Sony Plays Its Chump Card: Lack of Security Makes the Xbox Look Good